Abstract. Pseudorandomness has played a central role in modern cryptography, finding theoretical
and practical applications to various fields of computer science. A function that generates
such pseudorandom strings from shorter but truly random seeds is known as a pseudorandom
generator. Our generators are designed to fool languages, rather than probabilistic algorithms.
In particular, our generators take context-free languages with advice as their adversaries. We
present an explicit example of such a pseudorandom generator, which can also be computed by a
single-tape deterministic Turing machine running in time $O(n^2)$. In contrast, we show that there
is no almost 1-1 pseudorandom generator against even context-free languages (without advice)
if we demand it should be computed by a nondeterministic pushdown automaton equipped with
a write-only output tape. Our proofs are all elementary, requiring no complicated proof techniques
as in a polynomial-time setting, and utilize a specific feature of nondeterministic pushdown
automata, which is interesting in its own right.

1 Introduction

In the early 1980s, Blum and Micali [3] proposed a generator that produces a sequence in which any reasonable
adversary hardly predicts the sequence's next bit. Although fundamentally equivalent, Yao [10] considered
a generator that produces a sequence which no adversary distinguishes from a uniformly random sequence
with a small margin of error. Such a generator is known as a pseudorandom generator, which has played
an important role as a cryptographic primitive. The existence of a (polynomial-time computable) pseudorandom
generator is, unfortunately, unknown unless we impose certain unproven complexity-theoretical assumptions.
As a main theme of this paper, we study a specific type of pseudorandom generator, whose adversaries are
represented in a form of "languages" (or their "characteristic functions"), compared to standard "probabilistic
algorithms." Such a generator also appears when the generator's adversaries are "Boolean circuits." As our
limited adversaries, we consider most fundamental languages in formal language theory — regular languages
and context-free languages, which have been extensively studied since the 1950s. An immediate advantage
of dealing with such weak adversaries is that we can obtain corresponding pseudorandom generators without
any unproven assumption.

Intuitively, a function $G$, which stretches $n$-bit seeds to $s(n)$-bit long strings, is said to fool a language $A$
over the binary alphabet $\Sigma = \{0, 1\}$ if the characteristic function* $\chi_A$ of $A$ cannot distinguish between the
output distribution $\{G(x)\}_{x\in\Sigma^n}$ of $G$ and a truly random distribution $\{y\}_{y\in\Sigma^{s(n)}}$ with non-negligible success
probability. We call $G$ a pseudorandom generator against a language family $\mathcal{C}$ if $G$ fools every language $A$
over $\Sigma$ in $\mathcal{C}$.

A natural question is whether there exists an "easy-to-compute" pseudorandom generator against
low-complexity languages. It was proven in [9] that a certain function computed by nondeterministic pushdown
automata (or npda's) equipped with write-only output tapes (the set of those functions is denoted $\mathrm{CFLSV}_t$,
similar to $\mathrm{NPSV}_t$) can be a pseudorandom generator even against the advised class REG/n (which is, loosely
speaking, the family of regular languages supplemented, in parallel to inputs, by advice strings of size n, when
n is the size of input [IlIH]). Moreover, such a generator can be "almost" 1-1 with a stretch factor exactly
$n + 1$. The existence of such a pseudorandom generator is evidence that the complexity gap between CFL
and REG/n is considerably wide. Can we make such a generator much easier to compute? Unfortunately, no
almost 1-1 pseudorandom generator against REG (regular language family) can be computed by a single-tape
linear-time off-line Turing machine [Qj.

*The characteristic function $\chi_A$ of a language $A$ is defined as $\chi_A(x) = 1$ if $x \in A$ and $\chi_A(x) = 0$ otherwise, for every input
string $x$.

As a natural extension of REG, we turn our attention to CFL, the family of context-free languages.
Our main question is what the computational complexity of pseudorandom generators against the advised
class CFL/n is, where, similar to REG/n, CFL/n is obtained from CFL by providing advice in parallel to
inputs. Notice that CFL/n is quite different from REG/n; for instance, CFL/n $\neq$ co-CFL/n [8] whereas
REG/n $=$ co-REG/n. A simple way to construct a pseudorandom generator of a desired type is to use a
so-called diagonalization technique: first enumerate all advised languages in CFL/n and then diagonalize
them one by one to determine an outcome of the generator. However, such a method provides us only with
a generator of significantly high complexity.

In this paper, however, we shall give an explicit example of a pseudorandom generator in 1-FTIME($O(n^2)$)
against CFL/n, where 1-FTIME($t(n)$) is the set of functions computable by single-tape one-head off-line
Turing machines running within time $t(n)$. Our generator does not involve any diagonalization-type construction
and our proof of the generator's pseudorandomness is elementary, requiring no complex arguments usually
found in a polynomial-time setting. For our proof, we require only two previously known results: a
discrepancy upper bound of the inner-product-modulo-two function and a behavioral property of npda's. In
particular, from such a property, we can derive a so-called swapping property of npda's, which is also
interesting in its own right. In contrast to this example, we shall additionally prove that no almost 1-1 pseudorandom
generator even against CFL can be computed by npda's with write-only output tapes.

2 Fundamental Notions and Notations 

Let $\mathbb{N}$ denote the set of all nonnegative integers. A function $\mu$ from $\mathbb{N}$ to $\mathbb{R}^{\geq 0}$ (nonnegative reals) is negligible
if, for every non-zero polynomial $p$, $\mu(n) < 1/p(n)$ for all but finitely many numbers $n$ in $\mathbb{N}$. For any two
sets $A$ and $B$, their symmetric difference $A \triangle B$ is the set $(A - B) \cup (B - A)$.

Let $\Sigma$ be our alphabet (i.e., a finite nonempty set). A string $x$ is a finite sequence of symbols taken from
$\Sigma$. The empty string is always denoted $\lambda$. The length of a string $x$, denoted $|x|$, is the number of symbols
in $x$. Let $\Sigma^*$ be the set of all strings over $\Sigma$. For each number $n \in \mathbb{N}$, the notation $\Sigma^n$ (resp., $\Sigma^{\leq n}$) denotes
the set of all strings of length exactly $n$ (resp., less than or equal to $n$). A language over $\Sigma$ is a subset of $\Sigma^*$.
For a language $S$ over $\Sigma$ and any number $n \in \mathbb{N}$, $dense(S)(n)$ denotes the cardinality of the set $S \cap \Sigma^n$. The
notation $\chi_A$ denotes the characteristic function of $A$; namely, $\chi_A(x) = 1$ if $x \in A$ and $\chi_A(x) = 0$ otherwise.

For any string $x$ of length $n$, let $pref_i(x)$ denote the string consisting of the first $i$ symbols of $x$ and
similarly let $suf_j(x)$ be the string made up from the last $j$ symbols of $x$. Moreover, we denote by $midd_{i,j}(x)$
the string obtained from $x$ by deleting the first $i$ symbols and the last $n - j$ symbols.

Let REG and CFL denote respectively the family of regular languages and the family of context-free lan- 
guages. It is well known that regular languages and context-free languages are characterized by deterministic 
finite automata (or dfa's) and nondeterministic pushdown automata (or npda's), respectively. 

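An advice function is a map $f$ from $\mathbb{N}$ to $\Gamma^*$, where $\Gamma$ is an appropriate alphabet. A language $L$ over an
alphabet $\Sigma$ is in an advised class $\mathcal{C}/n$ if there exist another alphabet $\Gamma$, an advice function $h$ from $\mathbb{N}$ to $\Gamma^*$,
and a language $S \in \mathcal{C}$ over $\Gamma$ such that, for every string $x \in \Sigma^*$, $x \in L$ iff $\left[\begin{smallmatrix} x \\ h(|x|) \end{smallmatrix}\right] \in S$, where $\left[\begin{smallmatrix} x \\ y \end{smallmatrix}\right]$ denotes
a string made from $x$ and $y$ in parallel [7]. More precisely, for any pair of symbols $\sigma \in \Sigma_1$ and $\tau \in \Sigma_2$, the
notation $\left[\begin{smallmatrix} \sigma \\ \tau \end{smallmatrix}\right]$ denotes a new symbol made from $\sigma$ and $\tau$. For two strings $x = x_1x_2\cdots x_n$ and $y = y_1y_2\cdots y_n$
of the same length $n$, the notation $\left[\begin{smallmatrix} x \\ y \end{smallmatrix}\right]$ is shorthand for the string $\left[\begin{smallmatrix} x_1 \\ y_1 \end{smallmatrix}\right]\left[\begin{smallmatrix} x_2 \\ y_2 \end{smallmatrix}\right]\cdots\left[\begin{smallmatrix} x_n \\ y_n \end{smallmatrix}\right]$.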

We assume that the reader is familiar with fundamental definitions and properties of nondeterministic
pushdown automata (or npda's). For our convenience, we always assume that an input tape has two
endmarkers, which surround an input string. See Section[n]for more details. We also use a model of a single-tape
one-head off-line Turing machine, which is used to accept/reject an input string or to produce an output
on this single tape. Let 1-FTIME($t(n)$) denote the set of all single-valued total functions computable by
those single-tape one-head off-line deterministic Turing machines running in time at most $t(n)$. In particular,
we write 1-FLIN for 1-FTIME($O(n)$). Moreover, we introduce $\mathrm{CFLSV}_t$ as the set of all single-valued total
functions computed by npda's that are equipped with single write-only output tapes whose heads cannot go
back to read already written symbols, provided that a string written on a single output tape along an npda's
computation path is valid if the path is an accepting computation path.

3 Pseudorandom Generators and the Main Result



We shall explicitly state our main result of this paper. We formally introduce the notion of pseudorandom 
generator whose adversaries are languages (or their associated characteristic functions): particularly, context- 
free languages with advice. 

Let $\Sigma = \{0, 1\}$. We say that a function $G$ from $\Sigma^*$ to $\Sigma^*$ has a stretch factor $s(n)$ if $|G(x)| = s(|x|)$
holds for any string $x \in \Sigma^*$. We use the notation $\mathrm{Prob}_{x\in\Sigma^n}[\mathcal{P}(x)]$ to denote the probability, over a random
variable $x$ distributed uniformly over $\Sigma^n$, that the property $\mathcal{P}(x)$ holds. When the probability space $\Sigma^n$ is
clear from the context, we omit the script "$\Sigma^n$" altogether.

Definition 3.1 A function $G$ is said to fool a language $A$ over $\Sigma$ if the function
$\ell(n) = |\mathrm{Prob}_x[\chi_A(G(x)) = 1] - \mathrm{Prob}_y[\chi_A(y) = 1]|$ is negligible, where $x$ and $y$ are random variables over $\Sigma^n$ and
$\Sigma^{s(n)}$, respectively. A function $G$ is called a pseudorandom generator against a language family $\mathcal{C}$ if $G$ fools
every language $A$ over the alphabet $\Sigma$ in $\mathcal{C}$.

In this paper, we are mostly focused on generators whose stretch factor is $n + 1$. Such a generator $G$ is
called almost 1-1 if there is a negligible function $\tau(n) \geq 0$ such that $|\{G(x) \mid x \in \Sigma^n\}| = |\Sigma^n|(1 - \tau(n))$ for
all numbers $n \in \mathbb{N}$.

The existence of pseudorandom generators against REG/n was briefly discussed in [9]; however, it has
been unknown whether there exists an "easy-to-compute" pseudorandom generator against CFL/n. We
begin with stating a positive result: the existence of such a generator in 1-FTIME($O(n^2)$).

Theorem 3.2 [main theorem] There exists an almost 1-1 pseudorandom generator in 1-FTIME($O(n^2)$)
against CFL/n with the stretch factor $n + 1$.

Theorem 3.2 contrasts with the following negative result, which indicates a computational limitation
of pseudorandom generators even against the language family CFL (and thus against CFL/n).

Proposition 3.3 There is no almost 1-1 pseudorandom generator with the stretch factor $n + 1$ in $\mathrm{CFLSV}_t$
against CFL.

The rest of this paper is devoted to proving Theorem 3.2 and Proposition 3.3. In Section 4, with the help of a
notion of gap pseudorandomness, we shall give the proof of Proposition 3.3. In Sections [5] [H we shall present
the proof of Theorem 3.2.



4 Gap Pseudorandom Languages 

Before giving the proofs of Theorem 3.2 and Proposition 3.3, we shall discuss so-called gap pseudorandom
languages and their close connection to our pseudorandom generators. We shall use this connection to prove
the desired results in later sections.

Meanwhile, we use the notation $\Sigma$ to denote any alphabet with $|\Sigma| \geq 2$ and let $\mathcal{C}$ be any language family.
In [S], the notion of $\mathcal{C}$-pseudorandom language† was introduced in connection to pseudorandom generators
against $\mathcal{C}$. This connection, however, is based on the closure property of $\mathcal{C}$ under complementation. Because
CFL/n is not closed under complementation [8], we cannot use this connection directly. Instead, we consider
a slightly weaker notion of gap $\mathcal{C}$-pseudorandomness, which provides a similar connection without any closure
property.

Definition 4.1 A language $L$ over an alphabet $\Sigma$ is called gap $\mathcal{C}$-pseudorandom if, for every language $A$ over
$\Sigma$ in $\mathcal{C}$, the function

$\ell(n) = \dfrac{|dense(L \cap A)(n) - dense(\overline{L} \cap A)(n)|}{|\Sigma^n|}$

is negligible; that is, for any non-zero polynomial $p$, there exists a positive number $n_0$ such that
$\ell(n) < 1/p(n)$ for all numbers $n > n_0$. For any language
family $\mathcal{D}$, we say that $\mathcal{D}$ is gap $\mathcal{C}$-pseudorandom if $\mathcal{D}$ contains a gap $\mathcal{C}$-pseudorandom language.

We remark that, if $\mathcal{C}$ is closed under complementation, our notion of gap $\mathcal{C}$-pseudorandomness is equivalent
to that of $\mathcal{C}$-pseudorandomness. However, we cannot assume such a closure property for $\mathcal{C}$ = CFL/n.

†A language L is C-pseudorandom if the function i{n) = '''^"^'^(^^"^)(") _ i is negligible [9].

An observation of a proof in [5], which establishes a close bridge between $\mathcal{C}$-pseudorandom languages and
pseudorandom generators against $\mathcal{C}$, reveals that the proof actually shows, without any closure
property, an equivalence between the gap $\mathcal{C}$-pseudorandomness and the existence of a pseudorandom generator
against $\mathcal{C}$. We state this fact as a lemma below. For any function $G$ from $\Sigma^*$ to $\Sigma^*$, its range $\mathrm{rang}(G)$ is the
set $\{G(w) \mid w \in \Sigma^*\}$.

Lemma 4.2 [9] Let $\Sigma = \{0, 1\}$. Let $\mathcal{C}$ be any language family. Let $G$ be any function from $\Sigma^*$ to $\Sigma^*$ with
the stretch factor $n + 1$. Assume that $G$ is almost 1-1. The function $G$ is a pseudorandom generator against
$\mathcal{C}$ if and only if the set $\mathrm{rang}(G)$ is gap $\mathcal{C}$-pseudorandom.

The above lemma roughly says that, as far as $G$ is almost 1-1, the pseudorandomness of the generator $G$
can be proven by establishing the gap pseudorandomness of the range of $G$. Using this lemma, we can give
our proof of Proposition 3.3.

Proof of Proposition 3.3. Let $G$ be any almost 1-1 pseudorandom generator against CFL. Now, assume
that $G$ belongs to $\mathrm{CFLSV}_t$. Let $N$ be any npda with a write-only output tape computing $G$. By Lemma
4.2, the set $S =_{def} \mathrm{rang}(G)$ is gap CFL-pseudorandom, implying that $S \notin$ CFL. We define a new npda $M$
as follows. Let $y$ be any input of length $n > 1$. We simulate $N$ using imaginary input and output tapes
as follows. When $N$ reads a new bit written on its imaginary input tape, $M$ guesses such a bit (either 0
or 1) and simulates $N$'s step. As long as $N$'s head keeps scanning the same tape cell, $M$ uses the same bit
without guessing another bit. If $N$ writes down a bit $b$ on its imaginary output tape, $M$ first checks whether
$b$ appears on a cell where its head scans on its actual input tape, and then $M$ simulates $N$'s move. If $b$
does not match the bit written on $M$'s input tape, then $M$ immediately rejects the input $y$; otherwise, $M$
continues its simulation of $N$ step by step. When $N$ halts in an accepting state, then $M$ also accepts the
input.

If $y \in S$, then there exists a string $x$ such that $N$ on this input $x$ produces $y$ on its output tape along
a certain accepting computation path, say, $p$. Consider a computation path of $M$ in which $M$ correctly
guesses $x$ and simulates $N$ on the path $p$. Along this path, $M$ obviously accepts $y$. On the contrary, when
$y \notin S$, there is no string $x$ or accepting path so that $N$ on the input $x$ correctly produces $y$. This means
that $M$ never accepts $y$ in any computation path.

Therefore, $M$ recognizes $S$. Since $M$ is an npda, this leads to the conclusion that $S$ is context-free,
contradicting our assumption that $S$ is gap CFL-pseudorandom. □



Toward the end of this section, we shall prepare a useful language and its properties for the proof of our
main theorem. We start with defining this language $IP_*^{(3)}$, which is founded on the (binary) inner product.
The (binary) inner product between two binary strings $x$ and $y$ of length $n$ is defined as $x \odot y = \sum_{i=1}^{n} x_i y_i$
if $x = x_1x_2\cdots x_n$ and $y = y_1y_2\cdots y_n$. The language $IP_*^{(3)}$ is then described as

$IP_*^{(3)} = \{axyz \mid a \in \Sigma^{\leq 3},\ x, y, z \in \Sigma^*,\ |x| = |z|,\ |y| = 2|x|,\ zx \odot y \equiv 1 \pmod 2\}.$

Note that, in the above definition of $IP_*^{(3)}$, we use the term "$zx \odot y$" instead of "$xz \odot y$" because, otherwise,
our proof given in later sections may not work properly. Figure [1] illustrates an example of string $axyz$ for
$IP_*^{(3)}$ when $a = \lambda$.

We quickly discuss the complexity of the language $IP_*^{(3)}$. Consider the following simple algorithm for
$IP_*^{(3)}$. Let $w = axyz$ be any input, provided that $|x| = |z|$, $|y| = 2|x|$, and $y$ is of the form $y = y_1y_2$ with
$|y_1| = |y_2|$. First, we determine the size $|a|$. Consider the case where $a = \lambda$. First, mark the boundaries
among $x$, $y$, and $z$ in the input $xyz$. Compute $x \odot y_2 \pmod 2$ and $z \odot y_1 \pmod 2$ sequentially. Output
the sum of these two products modulo two. It is not difficult to check that this algorithm takes time $O(n^2)$.
The other case where $a \neq \lambda$ is similar. Hence, we obtain the following. We use the notation 1-DTIME($t(n)$)
to denote a "language" version of 1-FTIME($t(n)$); that is, 1-DTIME($t(n)$) $= \{A \mid \chi_A \in$ 1-FTIME($t(n)$)$\}$.

Lemma 4.3 The language $IP_*^{(3)}$ belongs to 1-DTIME($O(n^2)$).

One of the most important ingredients of the proof of our main theorem is the gap CFL/n-pseudorandomness
of $IP_*^{(3)}$.

Figure 1: An input string $xyz$ to $IP_*^{(3)}$, where $i$ and $j$ correspond to Lemma [01

Proposition 4.4 The language $IP_*^{(3)}$ is gap CFL/n-pseudorandom.

The proof of Proposition 4.4 will be given in Sections [BHS]. An immediate corollary of Proposition 4.4
together with Lemma 4.3 is the gap CFL/n-pseudorandomness of the language family 1-DTIME($O(n^2)$).
From this corollary, we also obtain a class separation: 1-DTIME($O(n^2)$) $\nsubseteq$ CFL/n, because $\mathcal{C}$ cannot be gap
$\mathcal{C}$-pseudorandom if $\Sigma^* \in \mathcal{C}$.

Corollary 4.5 The language family 1-DTIME($O(n^2)$) is gap CFL/n-pseudorandom.
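
As an added illustration (not code from the paper), the following script evaluates the gap function of Definition 4.1 by exhaustive enumeration for the inner-product language at small lengths, against the trivial adversary, two context-free adversaries, and a parity automaton that reads the input in parallel with an advice string. Assumptions of this example: the padding a is taken to be the first n mod 4 bits, the gap is normalised by the number of strings of length n, and all function names are illustrative.

```python
from fractions import Fraction
from itertools import product


def inner_product_mod2(u, v):
    """Binary inner product of two equal-length bit tuples, reduced modulo two."""
    return sum(a & b for a, b in zip(u, v)) % 2


def in_ip(w):
    """Membership of the bit tuple w = a x y z in the inner-product language.

    Assumption of this example: the padding a is the first len(w) % 4 bits,
    so that |x| = |z| = m and |y| = 2m for the remaining 4m bits.
    """
    m = len(w) // 4
    body = w[len(w) % 4:]
    x, y, z = body[:m], body[m:3 * m], body[3 * m:]
    y1, y2 = y[:m], y[m:]
    # zx (.) y splits into z (.) y1 + x (.) y2, the two products computed
    # sequentially by the algorithm described before Lemma 4.3.
    return (inner_product_mod2(z, y1) + inner_product_mod2(x, y2)) % 2 == 1


def everything(w):
    """Trivial adversary: the language of all strings."""
    return True


def dyck(w):
    """Context-free adversary: balanced brackets, 0 read as '(' and 1 as ')'."""
    depth = 0
    for bit in w:
        depth += 1 if bit == 0 else -1
        if depth < 0:
            return False
    return depth == 0


def palindrome(w):
    """Context-free adversary: strings equal to their own reversal."""
    return w == w[::-1]


def odd_parity(w):
    """Regular language used as a non-pseudorandom contrast."""
    return sum(w) % 2 == 1


def advised_parity(advice):
    """Adversary with advice: a two-state automaton scanning the parallel
    string [w; h(n)] that accepts when the sum of w_i * h_i is odd."""
    def accept(w):
        h = advice(len(w))
        state = 0
        for w_i, h_i in zip(w, h):  # one two-track symbol [w_i; h_i] per step
            state ^= w_i & h_i
        return state == 1
    return accept


def gap(language, adversary, n):
    """|dense(L & A)(n) - dense(complement(L) & A)(n)| / 2^n, by enumeration."""
    inside = outside = 0
    for w in product((0, 1), repeat=n):
        if adversary(w):
            if language(w):
                inside += 1
            else:
                outside += 1
    return Fraction(abs(inside - outside), 2 ** n)


def worst_parity_gap(language, n):
    """Largest gap that any advice string of length n gives the parity automaton."""
    return max(gap(language, advised_parity(lambda _n, h=h: h), n)
               for h in product((0, 1), repeat=n))


if __name__ == "__main__":
    for n in (4, 8, 12):
        print(n, "all strings:", gap(in_ip, everything, n),
              "Dyck:", gap(in_ip, dyck, n),
              "palindromes:", gap(in_ip, palindrome, n))
    print("best advice for the parity automaton, n = 8:", worst_parity_gap(in_ip, 8))
    print("odd parity against itself, n = 8:", gap(odd_parity, odd_parity, 8))
```

Against the trivial adversary the gap of the inner-product language is exactly 2^(-2m) for lengths 4m to 4m+3, while a regular language such as odd parity is caught with gap 1/2 by itself as the adversary.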

5 Proof of Theorem 3.2

Using Proposition 4.4, we shall prove Theorem 3.2, which states the existence of a pseudorandom generator
$G$ in 1-FTIME($O(n^2)$) against CFL/n. Our construction of $G$ is rather straightforward from the definition of
$IP_*^{(3)}$ and, therefore, the pseudorandomness of $G$ follows directly from the gap pseudorandomness of $IP_*^{(3)}$.

First, we define a desired pseudorandom generator. Our input is of the form $w = axybz$ with $a \in \Sigma^{\leq 3}$,
$b \in \Sigma$, $|x| = |bz|$, and $|y| = 2|x|$. Consider the simplest case where $a = \lambda$ and $|x| = n$. Define $G$ as follows.

1 If $w = xybz$ and $zx \odot y \equiv 1 \pmod 2$, then let $G(w) = xbybz$.

2 If $w = xy1z$ and $zx \odot y \equiv 0 \pmod 2$, then let $G(w) = x1y1z$.

3 If $w = xy0z$ and $zx \odot y \equiv 0 \pmod 2$, then let $i$ be the minimal index such that $y_i = 1$ if any.

3a If $i$ exists and $i < n - 1$, then let $G(w) = x0y0\tilde{z}$, where $\tilde{z} = z_1z_2\cdots z_{i-1}\overline{z_i}z_{i+1}\cdots z_n$ if
$z = z_1z_2\cdots z_i\cdots z_n$.

3b If $i$ exists and $n < i < 2n$, then let $G(w) = \tilde{x}0y0z$, where $\tilde{x} = x_1x_2\cdots x_{i-n-1}\overline{x_{i-n}}x_{i-n+1}\cdots x_n$ if
$x = x_1x_2\cdots x_{i-n}\cdots x_n$.

3c If $i$ does not exist, then let $G(w) = x1y1z$.

If $a \neq \lambda$, then we define $G(w) = aG(xyz)$.

We need to prove that $G$ satisfies the conditions necessary for a pseudorandom generator against CFL/n.
Now, let us claim the following three properties.

Claim 1
1. $G$ is an almost 1-1 function.
2. $G$ is in 1-FTIME($O(n^2)$).
3. $\mathrm{rang}(G) = IP_*^{(3)}$.

Proof. (1) By observing the definition of $G$, in all cases except for Case 3c, $G$ is one-to-one on its domain.
For each choice $(x, z)$, however, $G$ maps $\{x0^{2n}1z, x0^{2n}0z\}$ to $x10^{2n}1z$, making itself two-to-one. Since the
number of such pairs $(x, y)$ is exactly $2^{2n}$, we conclude that $|\{G(w) \mid w \in \Sigma^{4n}\}| \geq 2^{4n} - 2^{2n} = 2^{4n}(1 - 1/2^{2n})$.
Hence, $G$ is almost 1-1.

(2) The proof of this claim is similar to Lemma 

(3) ($\mathrm{rang}(G) \subseteq IP_*^{(3)}$) Let $u \in \mathrm{rang}(G)$ and assume that $G(w) = u$ for a certain $w$. First, consider Case
2 of the definition of $G$. It thus follows that $u = x1y1z$, $zx \odot y \equiv 0 \pmod 2$, and $w = xy1z$. For convenience,
we write $z' = 1z$ and $y' = 1y$. Since

$z'x \odot y' \equiv 1 \odot 1 + zx \odot y \equiv 1 + 0 \equiv 1 \pmod 2,$

we obtain $xy'z' \in IP_*^{(3)}$. Thus, $w$ belongs to $IP_*^{(3)}$.

Next, consider Case 3b. In this case, we have $w = xy0z$, $zx \odot y \equiv 0 \pmod 2$, and $u = \tilde{x}0y0z$, where
$\tilde{x} = x_1x_2\cdots x_{i-n-1}\overline{x_{i-n}}x_{i-n+1}\cdots x_n$ if $x = x_1x_2\cdots x_{i-n}\cdots x_n$ and $y_i = 1$ for the minimal index $i$. Let
$y' = 0y$ and $z' = 0z$. For convenience, write $x^{(j)}$ to denote the $x$ whose $j$th bit is removed. Similarly, we
define $y^{(j)}$ from $y$. Note that

$z'\tilde{x} \odot y' \equiv 0 + zx^{(i-n)} \odot y^{(i)} + \overline{x_{i-n}}\, y_i \equiv zx^{(i-n)} \odot y^{(i)} + x_{i-n} y_i + 1 \equiv zx \odot y + 1 \equiv 0 + 1 \equiv 1 \pmod 2$

since $\overline{x_{i-n}}\, y_i \equiv x_{i-n} y_i + 1 \pmod 2$.

The other cases are similarly proven. Therefore, it holds that $\mathrm{rang}(G) \subseteq IP_*^{(3)}$.

($\mathrm{rang}(G) \supseteq IP_*^{(3)}$) Let $u \in IP_*^{(3)}$ and assume that $u = xy'z'$ with $z'x \odot y' \equiv 1 \pmod 2$. If $y' = by$ and
$z' = bz$ for a certain bit $b$, then it follows that $zx \odot y \equiv z'x \odot y' \equiv 1 \pmod 2$. Since this case corresponds to
Case 1 of the definition of $G$, if we set $w = xybz$, then we obtain $G(w) = u$, indicating that $u \in \mathrm{rang}(G)$.

Next, assume that $u = x'0y0z'$. Let $y = y_1y_2\cdots y_{2n}$. Now, consider the case where there exists the
minimal index $i$ such that $y_i = 1$. If $i < n - 1$, then let $w = xy0z$, where $x = x'$ and $z$ is such that $\tilde{z} = z'$.
Let $z = z_1z_2\cdots z_n$. Write $z^{(i)}$ (resp., $y^{(i)}$) for the string obtained from $z$ (resp., $y$) by flipping the $i$th bit.
Clearly, it holds that

zxQy + l = z^'^x + + 1 = z^a; 0y + z-0y, = z'a;0yEEl (mod 2), 

from which we conclude that $zx \odot y \equiv 0 \pmod 2$. Since this is Case 3a, we obtain $G(w) = u$ and thus
$u \in \mathrm{rang}(G)$.

Since the other cases are similar, we have $IP_*^{(3)} \subseteq \mathrm{rang}(G)$, as requested. □

Finally, we wish to show that $G$ is indeed the desired pseudorandom generator. By Claim 1(1-2), $G$ is
an almost 1-1 function in 1-FTIME($O(n^2)$). To show that $G$ fools every language in CFL/n, by Lemma
and Claim 1(3), it suffices to prove that $IP_*^{(3)}$ is gap CFL/n-pseudorandom. This gap pseudorandomness is
given in Proposition 4.4. Therefore, the theorem holds.

6 Swapping Property of Context-Free Languages 

We begin our proof of Proposition 4.4. This proof requires a unique property of context-free languages,
which we call a swapping property. In this section, we shall show this useful property. Here, the notation $\Sigma$
is used to denote an arbitrary alphabet.

Lemma 6.1 [swapping property lemma] Let $L$ be any context-free language over an arbitrary alphabet $\Sigma$
with $|\Sigma| \geq 2$. For any triplet $(j_0, k, n)$ of numbers with $j_0 > 2$ and $2j_0 < k < n$, there exist an alphabet $\Gamma$
and two series $\{A_e\}_{e \in \Delta_{j_0,k,n}}$ and $\{B_e\}_{e \in \Delta_{j_0,k,n}}$, where $\Delta_{j_0,k,n} = \{(i, j, u, v) \mid i \in [0, n]_{\mathbb{Z}}, j \in [j_0, k]_{\mathbb{Z}}, i + j < n, u, v \in \Gamma\}$,
which satisfy the following three conditions.

(1) For any index tuple $(i, j, u, v) \in \Delta_{j_0,k,n}$, we have $A_{i,j,u,v} \subseteq \Sigma^{n-i-j} \times \Sigma^{i}$ and $B_{i,j,u,v} \subseteq \Sigma^{j}$.

(2) For every $w$ with |w| > A, $w \in L$ iff there exist an index tuple $(i, j, u, v) \in \Delta_{j_0,k,n}$ and three strings
$x, y, z \in \Sigma^*$ such that $|x| = i$, $|y| = j$, $(z, x) \in A_{i,j,u,v}$, $y \in B_{i,j,u,v}$, and $w = xyz$.

(3) (swapping property) For every index $e \in \Delta_{j_0,k,n}$, if $(z_1, x_1, y_1), (z_2, x_2, y_2) \in A_e \times B_e$, then
$(z_1, x_1, y_2), (z_2, x_2, y_1) \in A_e \times B_e$.

The reader may think it possible to obtain a similar result by following an argument used to prove the
pumping lemma for context-free languages (see, e.g., [6] for the proof); however, such an argument may set
$j_0$ to be a constant, which is independent of length $n$. For our proof of Proposition 4.4, we need $j_0$ to be
chosen almost arbitrarily.

The following proof of Lemma 6.1 uses a certain characteristic feature of npda's.

Proof of Lemma 6.1. For the proof of the lemma, we need a specific simple form of npda's. Since $n > 4$, it
is harmless to assume that $L$ contains no empty string $\lambda$. Let us consider any npda $M = (Q, \Sigma, \Gamma, \delta, q_0, z, F)$,
where $Q$ is a set of internal states, $\Gamma$ is a stack alphabet, $\delta$ is a transition function, $q_0 \in Q$ is the initial
state, $z \in \Gamma$ is the stack start symbol, and $F \subseteq Q$ is a set of final states. For the functionality of these sets,
see, e.g., [6]. For simplicity, we include two special endmarkers ¢ and \$, which mark the left end and the
right end of an input, respectively. Hereafter, we consider only inputs of the form ¢$x$\$ with $x \in \Sigma^*$ and here
we treat the endmarkers as a part of the input string $x$. For convenience, every tape cell is indexed with
integers from left to right, and the left endmarker ¢ is always written in the 0th cell. Any input string $x$ of
length $n$ is written in the cells indexed between 1 and $n$ and the right endmarker \$ is written in the $(n+1)$st
cell. Notice that |¢$x$\$| $= n + 2$.

In what follows, we write the content of the stack of $M$ as $s = s_1s_2s_3\cdots s_m$ when the leftmost symbol $s_1$
is located at the top of the stack and the rightmost symbol $s_m$ is at the bottom of the stack. For any string
$x \in \Sigma^n$, $ACC(x)$ denotes the set of all accepting computation paths of $M$ on the input $x$. In addition, we set
$ACC_n = \bigcup_{x \in \Sigma^n} ACC(x)$.

Without loss of generality, we can impose the following restrictions on the behaviors of $M$. For the proof,
see [5] (or [8]). We set $Q = \{q_0, q_1, q_f\}$, $z, S \in \Gamma$, $F = \{q_f\}$, and $\delta$ to satisfy the following four conditions.

1 $\delta(q_0, ¢, z) = \{(q_1, Sz)\}$.

2 $\delta(q_1, \$, z) = \{(q_f, z)\}$.

3 For any symbol $a \in \Sigma$, $\delta(q_1, a, z) = \emptyset$.

4 For any $a \in \Sigma$, any $u \in \Gamma$, and any $w \in \Gamma^*$, if $(q_1, w) \in \delta(q_1, a, u)$, then $|w| \leq 2$.

Furthermore, we introduce a few new terminologies. An intercell boundary $i$ is a boundary or a border
between two adjacent cells, the $i$th cell and the $(i+1)$st cell, in our npda's input tape. Fix a set $S \subseteq L \cap \Sigma^n$,
a string $x$ in $S$, and a computation path $p$ in $ACC(x)$. Along such a path $p$, we assign to intercell boundary
$i$ a stack content produced after scanning the $i$th cell and before scanning the $(i+1)$st cell.

Now, we fix an arbitrary pair $(j_0, k)$ satisfying that < $2j_0 < k < n$. Recall the index set $\Delta_{j_0,k,n} =
\{(i, j, u, v) \mid i \in [0, n]_{\mathbb{Z}}, j \in [j_0, k]_{\mathbb{Z}}, i + j < n, u, v \in \Gamma\}$ given in the lemma. Note that $|\Delta_{j_0,k,n}| < (n+1)^2|\Gamma|^2$.
Now, we claim the following statement regarding $M$ and $\Delta_{j_0,k,n}$.

Claim 2 For every string $w \in L \cap \Sigma^n$, there exist an element $(i, j, u, v) \in \Delta_{j_0,k,n}$, a string $s$, and a path
$p \in ACC(w)$ such that (i) $w = xyz$ with $|x| = i$ and $|y| = j$ and (ii) along $p$, $M$ has a stack content $us$ just
after reading $x$ and a stack content $vs$ just after reading $y$, and $s$ is never accessed by $M$ during reading $y$.
We call this $s$ the rooted stack content.

Assuming Claim [2l we continue our proof of Lemma [67T] Let us define the desired series {Ae}eeAj(,,fc_„ 
and {Be}e<EAjg fc „ ■ For each index tuple (i, j, u, v) G Aj„,k.n, we first define two sets xj;]^ and T^-'^^^ as follows. 

• Let T,j;]^ be the collection of pairs (x, s) with s G F* and \x\ — i such that there exists a path p G ACCn 
along which AI produces a stack containing us just after reading ^x. 

(2) 

• Let j ^ be the collection of pairs (z, s) with s G F* and \z\ ~ n ~ i ^ j such that AI starts in inner 
state gi with a stack content vs and AI enters an accepting or a final state g/ just after reading z$. 

The desired set Ai^j^u,v is defined as Aij^u,v = {iz,x) \ 3s G T,*[{x,s) G T.j;^J A (z,s) G Moreover, 
the set Bij^u,v is defined as the collection of y G such that there exist a stack content s G F* and a path 
p G ACCn along which AI starts in state gi with a stack content us and produces a stack content vs after 
reading y, provided that AI cannot access any symbol in s while reading y. 

Clearly, we have $A_{i,j,u,v} \subseteq \Sigma^{n-i-j} \times \Sigma^{i}$ and $B_{i,j,u,v} \subseteq \Sigma^{j}$ and thus Condition 1 of the lemma
holds. Condition 2 follows directly from Claim 2. Now, let us observe the following: for any two
tuples $(z_1, x_1, y_1), (z_2, x_2, y_2) \in A_{i,j,u,v} \times B_{i,j,u,v}$, along certain accepting paths, $M$'s behaviors during
reading $y_1$ and $y_2$ are identical, except for their corresponding rooted stack contents. This makes it possible
to swap $y_1$ and $y_2$ on these two paths without changing the outcomes of $M$. Therefore, it holds that
$(z_1, x_1, y_2), (z_2, x_2, y_1) \in A_{i,j,u,v} \times B_{i,j,u,v}$, implying Condition 3.

Proof of Claim 2. We first review a result in [8]. Note that any accepting computation path of the npda
$M$ generates a length-$(n + 2)$ series $(s_{-1}, s_0, s_1, \ldots, s_n, s_{n+1})$ of stack contents with $s_{-1} = s_n = s_{n+1} = z$
and $s_0 = Sz$. For any subinterval $I = [i_0, i_1]_{\mathbb{Z}}$ of $I_0$, we call a subsequence $\gamma = (s_{i_0}, s_{i_0+1}, \ldots, s_{i_1})$ a stack
transition (associated) with the interval $I$. The height at intercell boundary $b$ of $\gamma$ is the length $|s_b|$ of the
stack content $s_b$ at $b$. An ideal stack transition $\gamma$ with an interval $[i_0, i_1]_{\mathbb{Z}}$ should satisfy that (i) we have the
same height $\ell$ at both of the intercell boundaries $i_0$ and $i_1$ and (ii) all heights within this interval are more
than or equal to $\ell$.

Let $I = [i_0, i_1]_{\mathbb{Z}}$ be any subinterval of $I_0$ and let $\gamma = (s_{i_0}, s_{i_0+1}, \ldots, s_{i_1})$ be any ideal stack transition
with this interval $I$. For each possible height $\ell$, the minimal width, denoted $minwid_I(\ell)$ (resp., the maximal
width, denoted $maxwid_I(\ell)$), is the minimal value (resp., maximal value) $|I'|$ (i.e., $|I'| = i'_1 - i'_0$) for which
(i) $I' = [i'_0, i'_1]_{\mathbb{Z}} \subseteq I$, (ii) $\gamma$ has height $\ell$ at both of the intercell boundaries $i'_0$ and $i'_1$, and (iii) at no intercell
boundary $i \in I'$, $\gamma$ has height less than $\ell$.

The following lemma in [8] holds for any accepting computation path $p$ of $M$.

Lemma 6.2 Let M be any npda that satisfies the conditions of this section. Let x be any string of length 
n accepted by M and let p be any computation path in AC'C{x). Assume that jg > 2 and 2jo < k < n. Along 
the path p, for any interval L = [i^, ii\z C [—1, n + l]z with \I\ > k and for any ideal stack transition 7 with 
the interval I having height Iq at the two intercell boundaries io and ii, there are a subinterval /' = [«o,*i]z 
of L and a height £ G such that 7 has height i at both intercell boundaries ig and i'^, jo < \L'\ < k, and 

minwidi{£) < \I'\ < maxwidi{£). 

Now, we prove the target claim. Let w be any string of length n accepted by M. We choose = 
and ii = n + 1 and consider the interval / = [ioj*i]z- Choose any ideal transition 7 made by M along 
a certain accepting path in ACC(w). Apply Lemma 16.21 and we take a subinterval /' = [i'o,i'i\z a-nd a 
height £ € [1,'t-]z such that 7 has height £ at both intercell boundaries Iq and i'l, jo < < k, and 
minwidi{£) < \I'\ < maxwidi{£). Define i = i'o and j = |/'|. We decompose w as w = xyz with |a;| = i and 
\y\ = J. Let us assume that 7 has a stack content us of length £ at the intercell boundary Zg (i.e., just after 
reading x) and similarly a stack content vs' of length £ at i'l (i.e., just after reading y). Since minwidi{£) < 
\L'\ < maxwidj{£), 7 never has height less than £ between Zg and i[; that is, M cannot access any symbol in 
s. This implies that s' equals s. Therefore, the claim holds. □ 

This completes the proof of Lemma 6.1. □



7 Discrepancy Upper Bounds 

Lemma 6.1 provides two useful series $\{A_e\}_e$ and $\{B_e\}_e$ for our proof of Proposition 4.4. In this section, we
shall discuss a useful property concerning these series. For the sake of generality, we intend to write $A$ and
$B$ respectively for arbitrary sets $A_e$ and $B_e$.

To prove Proposition 4.4, we want to use a well-known discrepancy upper bound of the
inner-product-modulo-two function. Through this section, for technicality, we deal only with strings of length $2n$ instead
of length $n$. Let $x = x_1x_2\cdots x_n$ and $y = y_1y_2\cdots y_n$ be any two $2n$-bit strings. The (binary) inner product
is a function defined as $x \odot y = \sum_i x_i y_i$.

Let $M$ be a square matrix such that all entries are indexed by $\Sigma^{2n} \times \Sigma^{2n}$, where $\Sigma = \{0, 1\}$, and each
$(x, y)$-entry has a value $x \odot y \pmod 2$. For convenience, we switch our values $\{0, 1\}$ to $\{1, -1\}$ and define the
inner-product-modulo-two function $f$ as $f(x, y) = (-1)^{x \odot y}$. Now, we introduce the notion of discrepancy
over the matrix $M$.

Definition 7.1 For any set $T \subseteq \Sigma^{2n} \times \Sigma^{2n}$, the discrepancy of $T$ is $\mathrm{Disc}_M(T) = 2^{-4n}\left|\sum_{(x,y)\in T} f(x,y)\right|$.

In this paper, we need the following well-known upper bound of $\mathrm{Disc}_M(T)$. How to obtain this bound is demonstrated in, e.g., [T].

Lemma 7.2 For any two sets $A', B' \subseteq \Sigma^{2n}$, $\mathrm{Disc}_M(A' \times B') \le 2^{-3n}\sqrt{|A'||B'|}$.

In our proof of Proposition 4.4, we need to consider five individual cases, among which two cases are essential to the proof. Each of those cases requires the discrepancy of a certain set $T$. Prior to the actual proof in Section 8, we shall examine those two major cases and give their associated discrepancy upper bounds, which are derived by a dexterous application of Lemma 7.2.
We begin with the following special case.

Case 1: Assume that $(j, A, B)$ satisfy the following: $n < j < 2n$, $A \subseteq \Sigma^{4n-j}$ and $B \subseteq \Sigma^{j}$.



We define a set $T^{(1)}_{A,B}$ as follows: let $T^{(1)}_{A,B}$ be the collection of all pairs $(x, y) \in \Sigma^{2n} \times \Sigma^{2n}$ such that there exist six strings $x_1,x_2,x_3,y_1,y_2,y_3 \in \Sigma^*$ with $x = x_1x_2x_3$ and $y = y_1y_2y_3$ satisfying that $|x_1| = |y_1|$, $|x_2| = |y_2| = 2n - j$, $|x_3| = |y_3|$, $|x_1x_3| = j$, $y_2y_3x_1x_2 \in A$, and $x_3y_1 \in B$. Our key lemma is stated as follows.



Lemma 7.3 For any fixed triplet $(j,A,B)$ with $n < j < 2n$, $A \subseteq \Sigma^{4n-j}$, and $B \subseteq \Sigma^{j}$, $\mathrm{Disc}_M(T^{(1)}_{A,B}) \le 2^{n-j}$ for any sufficiently large number $n \in \mathbb{N}$.



Proof. Fix $(j,A,B)$, as given in the lemma. Let $\ell = \mathrm{Disc}_M(T^{(1)}_{A,B})$. Take any element $(x,y) \in T^{(1)}_{A,B}$ and consider their decompositions $x = x_1x_2x_3$ and $y = y_1y_2y_3$, as stated above. Since we cannot apply Lemma 7.2 directly to $T^{(1)}_{A,B}$, we need to find a different way to view $T^{(1)}_{A,B}$.

First, we introduce an index set $D_{j,n} = \{(x_2,y_2) \mid x_2,y_2 \in \Sigma^{2n-j}\}$, which clearly satisfies $|D_{j,n}| = 2^{2(2n-j)}$. Fixing each index pair $(a, b)$ in $D_{j,n}$, we further introduce two new sets $A_{a,b}$ and $B_{a,b}$ as follows.

• $A_{a,b} = \{x_1ay_3 \mid \exists x_3,y_1 \in \Sigma^* \text{ s.t. } (x_1ax_3, y_1by_3) \in T^{(1)}_{A,B}\}$.

• $B_{a,b} = \{y_1bx_3 \mid \exists x_1,y_3 \in \Sigma^* \text{ s.t. } (x_1ax_3, y_1by_3) \in T^{(1)}_{A,B}\}$.

Notice that $|A_{a,b}| \le 2^{j}$ since $|a| = 2n - j$. Similarly, we have $|B_{a,b}| \le 2^{j}$. Next, we claim that $T^{(1)}_{A,B}$ is "fundamentally" identical to the union $\bigcup_{(a,b)\in D_{j,n}} (A_{a,b} \times B_{a,b})$ over the matrix $M$. This is stated more precisely in the following claim.

Claim 3 There is a one-to-one map $\mu$ from $T^{(1)}_{A,B}$ to $\bigcup_{(a,b)\in D_{j,n}} (A_{a,b} \times B_{a,b})$ such that, for any pair $(x, y) \in T^{(1)}_{A,B}$, if $\mu(x,y) = (x',y')$ then $f(x,y) = f(x',y')$.



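Proof. Let $(x,y)$ be any pair in $T^{(1)}_{A,B}$ with $x = x_1x_2x_3$ and $y = y_1y_2y_3$, as before. We then define $\mu(x,y) = (x',y')$, where $x' = x_1x_2y_3$ and $y' = y_1y_2x_3$. Obviously, $(x',y')$ belongs to $A_{x_2,y_2} \times B_{x_2,y_2}$. The one-oneness of $\mu$ is trivial from the definition of $\mu$. Moreover, since

$$x \odot y = x_1x_2 \odot y_1y_2 + x_3 \odot y_3 = x_1x_2y_3 \odot y_1y_2x_3 = x' \odot y',$$

it follows that $f(x,y) = f(x',y')$. □

The above one-to-one map $\mu$ helps us estimate the value $\ell$ as

$$\ell = 2^{-4n}\Bigl|\sum_{(x,y)\in T^{(1)}_{A,B}} f(x,y)\Bigr| \le 2^{-4n} \sum_{(a,b)\in D_{j,n}} \Bigl|\sum_{(x',y')\in A_{a,b}\times B_{a,b}} f(x',y')\Bigr| \le \sum_{(a,b)\in D_{j,n}} \mathrm{Disc}_M(A_{a,b} \times B_{a,b}),$$

which is, by Lemma 7.2, further bounded by

$$\ell \le 2^{-3n} \sum_{(a,b)\in D_{j,n}} \sqrt{|A_{a,b}||B_{a,b}|} \le 2^{-3n}\,|D_{j,n}| \max_{(a,b)\in D_{j,n}} \sqrt{|A_{a,b}||B_{a,b}|} \le 2^{-3n}\,2^{4n-2j}\,2^{j} = 2^{n-j}.$$

□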
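The rectangle bound of Lemma 7.2 and the block swap behind Claim 3 can be checked by brute force for small $n$. The Python below is an added illustration, not part of the paper; its function names are this example's own, and it tests the bound in exact integer form, $(\sum f)^2 \le 2^{2n}|A'||B'|$, including a rectangle on which the bound is attained.

```python
from itertools import combinations, product

def f(x, y):
    """Inner product mod 2 of two equal-length bit tuples, mapped to {1, -1}."""
    return -1 if sum(a & b for a, b in zip(x, y)) % 2 else 1

def abs_sum(pairs):
    """|sum of f over a set of pairs|, i.e. 2^{4n} * Disc_M of that set."""
    return abs(sum(f(x, y) for x, y in pairs))

def rectangle_bound_ok(A, B, n):
    """Lemma 7.2 in exact integers: (sum over A x B)^2 <= 2^{2n} * |A| * |B|."""
    s = abs_sum((x, y) for x in A for y in B)
    return s * s <= (1 << (2 * n)) * len(A) * len(B)

def all_rectangles_ok(n):
    """Test every pair of subsets A, B of {0,1}^{2n} (feasible only for n = 1)."""
    cube = list(product((0, 1), repeat=2 * n))
    subsets = [c for r in range(len(cube) + 1) for c in combinations(cube, r)]
    return all(rectangle_bound_ok(A, B, n) for A in subsets for B in subsets)

def tight_rectangle(n):
    """A = {uu : u in {0,1}^n}. Here x.y = 2(u.v) is even, so f = 1 on A x A
    and the sum reaches the bound 2^n * sqrt(|A||A|) = 2^{2n} exactly."""
    A = [u + u for u in product((0, 1), repeat=n)]
    return abs_sum((x, y) for x in A for y in A), 1 << (2 * n)

def swap_preserves_f(n, j, a):
    """Claim 3's map (x1x2x3, y1y2y3) -> (x1x2y3, y1y2x3), with |x1| = |y1| = a,
    |x2| = |y2| = 2n - j and |x3| = |y3| = j - a, never changes f."""
    cut = a + (2 * n - j)  # x3 and y3 start at this position
    cube = list(product((0, 1), repeat=2 * n))
    return all(f(x, y) == f(x[:cut] + y[cut:], y[:cut] + x[cut:])
               for x in cube for y in cube)

if __name__ == "__main__":
    print(all_rectangles_ok(1), tight_rectangle(3),
          all(swap_preserves_f(2, 3, a) for a in range(4)))
```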



Case 2: Assume that $(j, A, B)$ satisfies the following: $2n < j < 3n$, $A \subseteq \Sigma^{4n-j}$, and $B \subseteq \Sigma^{j}$.

Different from Case 1, we define $T^{(2)}_{A,B}$ as the set of all pairs $(x,y) \in \Sigma^{2n} \times \Sigma^{2n}$ with $x = x_1x_2x_3$ and $y = y_1y_2y_3$ satisfying that $|x_1| = |y_1|$, $|x_2| = |y_2| = 4n - j$, $|x_3| = |y_3|$, $|x_1y_1y_2y_3x_3| = j$, $x_2 \in A$, and $x_3y_1y_2y_3x_1 \in B$. We want to show the following claim.
Lemma 7.4 For any fixed triplet $(j,A,B)$ with $2n < j < 3n$, $A \subseteq \Sigma^{4n-j}$, and $B \subseteq \Sigma^{j}$, we have $\mathrm{Disc}_M(T^{(2)}_{A,B}) \le 2^{j-3n}$ for any sufficiently large number $n \in \mathbb{N}$.

Proof. Our index set is defined as $E_{j,n} = \{(x_1, y_1, x_3, y_3) \mid |x_1| = |y_1|, |x_3| = |y_3|, |x_1x_3| = j - 2n\}$. Notice that $|E_{j,n}| = 2^{2(j-2n)}$. Now, for each index $e = (a, b, c, d) \in E_{j,n}$, we define two sets $A_e$ and $B_e$ as follows.

• $A_e = \{ax_2c \mid \exists y_2 \in \Sigma^* \text{ s.t. } (ax_2c, by_2d) \in T^{(2)}_{A,B}\}$.

• $B_e = \{by_2d \mid \exists x_2 \in \Sigma^* \text{ s.t. } (ax_2c, by_2d) \in T^{(2)}_{A,B}\}$.

Since $|ac| = |bd| = j - 2n$, it follows that $|A_e| \le 2^{4n-j}$ and $|B_e| \le 2^{4n-j}$.

Moreover, from the definition of $A_e$ and $B_e$, we have the following property: if $(x,y) \in T^{(2)}_{A,B}$ with $x = x_1x_2x_3$ and $y = y_1y_2y_3$, then $(x,y) \in A_{(x_1,y_1,x_3,y_3)} \times B_{(x_1,y_1,x_3,y_3)}$. In other words, $T^{(2)}_{A,B} \subseteq \bigcup_{e\in E_{j,n}} A_e \times B_e$. From this property, we have

$$\ell = \mathrm{Disc}_M(T^{(2)}_{A,B}) \le \sum_{e\in E_{j,n}} \mathrm{Disc}_M(A_e \times B_e),$$

which is bounded by

$$\ell \le 2^{-3n} \sum_{e\in E_{j,n}} \sqrt{|A_e||B_e|} \le 2^{-3n}\,|E_{j,n}| \max_{e\in E_{j,n}} \Bigl\{\sqrt{|A_e||B_e|}\Bigr\} \le 2^{-3n}\,2^{2j-4n}\,2^{4n-j} = 2^{j-3n}.$$

This completes the proof. □



8 Proof of Proposition 4.4

Finally, we shall give the proof of Proposition 4.4, which states that $IP_*$ is gap CFL/n-pseudorandom.

Let $S$ be any language over $\Sigma = \{0,1\}$ in CFL/n and let $p$ be any non-zero polynomial. Choose any sufficiently large number $n$ so that the following argument holds for it. Consider the major case where $|axyz| = 4n$ with $a = \lambda$. For notational convenience, let $U_1 = S \cap IP_* \cap \Sigma^{4n}$ and $U_0 = S \cap \overline{IP_*} \cap \Sigma^{4n}$. Since

$$\mathrm{dense}(IP_* \cap S)(4n) - \mathrm{dense}(\overline{IP_*} \cap S)(4n) = |U_1| - |U_0|,$$

our goal now is to verify that $\bigl||U_1| - |U_0|\bigr| \le 2^{4n}/8p(n)$.

Since $S \in$ CFL/n, we take an advice function $h$ and a language $S' \in$ CFL over another alphabet $\Sigma$ such that, for every string $x \in \Sigma^*$, $x \in S$ iff $\left[\begin{smallmatrix} x \\ h(|x|) \end{smallmatrix}\right] \in S'$. We define our magic numbers $j_0$ and $k$ as $j_0 = 4n/3$ and $k = 2j_0$ $(= 8n/3)$, and apply Lemma 6.1 with these numbers. Unlike Section 6, here we use "4n," instead of "n," as the length of our input strings. To simplify our notation further, we write $\Lambda_{j_0,k}$ for $\Lambda_{j_0,k,4n}$ by dropping the subscript "4n." Note that $|\Lambda_{j_0,k}| \le (4n+1)^2|\Gamma|^2 \le 2^{3\log n}$ since $n$ is assumed to be sufficiently large. Moreover, let us take two series $\{A_e\}_{e\in\Lambda_{j_0,k}}$ and $\{B_e\}_{e\in\Lambda_{j_0,k}}$ given in Lemma 6.1 and fix an index $e = (i,j,u,v) \in \Lambda_{j_0,k}$ for the following argument.

Since $n$ is fixed, we want to argue how to remove the advice string $h(4n)$ from the rest of our proof. Assuming that $h(4n) = h_1h_2h_3$ with $|h_1| = i$ and $|h_2| = j$, we define two sets $A'_e = \{zx \mid \left[\begin{smallmatrix} zx \\ h_3h_1 \end{smallmatrix}\right] \in A_e\}$ and $B'_e = \{y \mid \left[\begin{smallmatrix} y \\ h_2 \end{smallmatrix}\right] \in B_e\}$. Unless there is any confusion, for our convenience, we denote these sets $A'_e$ and $B'_e$ simply by $A_e$ and $B_e$, respectively. With this abbreviation, it holds that $A_e \subseteq \Sigma^{4n-i-j} \times \Sigma^{i}$ and $B_e \subseteq \Sigma^{j}$. By identifying a pair $(z, x)$ with a string $zx$, we further treat $A_e$ as a subset of $\Sigma^{4n-j}$; hereafter, we can assume that $A_e \subseteq \Sigma^{4n-j}$. Finally, let us introduce a set $S_e$ to be the collection of all strings $w$ in $S \cap \Sigma^{4n}$ satisfying that $z'x' \in A_e$ and $y' \in B_e$, where $x' = pref_i(w)$, $y' = midd_{i,i+j}(w)$, and $z' = suf_{4n-i-j}(w)$.

Claim 4 $\bigl||U_1| - |U_0|\bigr| \le \sum_{e\in\Lambda_{j_0,k}} \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr|$.

This claim is shown as follows. Lemma 6.1 leads to the equality $S \cap \Sigma^{4n} = \bigcup_{e\in\Lambda_{j_0,k}} S_e$, from which we obtain

$$\bigl||U_1| - |U_0|\bigr| \le \sum_{e\in\Lambda_{j_0,k}} \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr|.$$



Next, we want to show that, for every index $e \in \Lambda_{j_0,k}$, $\bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| \le 2^{11n/3}$. To show this inequality, we need to consider five separate cases, of which the most crucial cases are Cases 1 and 2 given below.



Case 1: Assume that $0 \le i < n$ and $j_0 < j < 2n$.

In this special case, we limit our attention to the index set $\Lambda^{(1)}_{j_0,k} = \{(i,j,u,v) \in \Lambda_{j_0,k} \mid 0 \le i < n,\ j_0 < j < 2n\}$. To estimate the value $m(e) = \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr|$ for each index $e \in \Lambda^{(1)}_{j_0,k}$, we consider a set $T_e = T^{(1)}_{A_e,B_e}$, where $T^{(1)}_{A,B}$ is defined in Case 1 of Section 7. The following claim gives a direct translation between $S_e$ and $T_e$.

Claim 5 For any index $e \in \Lambda^{(1)}_{j_0,k}$ and any three strings $x,y,z \in \Sigma^*$ with $|x| = |z| = n$ and $|y| = 2n$, $xyz \in S_e$ if and only if $(zx, y) \in T_e$.



Proof. Let $e = (i,j,u,v) \in \Lambda^{(1)}_{j_0,k}$ and let $w = xyz$ be any string satisfying that $|x| = |z| = n$ and $|y| = 2n$. Now, we partition $w$ as $w = x'y'z'$ with three strings $x' = pref_i(w)$, $y' = midd_{i,i+j}(w)$, and $z' = suf_{4n-i-j}(w)$. Since $0 \le i < n$ and $n < j < 2n$, we can express $x$ and $y$ as $x = x_1x_2$ and $y = y_1y_2$ that satisfy $x' = x_1$, $y' = x_2y_1$, and $z' = y_2z$.

(Only If-part) Assume that $w \in S_e$. This makes the pair $(z'x',y')$ belong to $A_e \times B_e$. Equivalently, $(y_2zx_1, x_2y_1)$ is in $A_e \times B_e$. From the definition of $T^{(1)}_{A_e,B_e}$, it follows that $(zx_1x_2, y_1y_2) \in T^{(1)}_{A_e,B_e}$, which is obviously equal to $(zx, y) \in T_e$.

(If-part) Assume that $(zx,y) \in T_e$; in other words, $(zx_1x_2, y_1y_2)$ is in $T^{(1)}_{A_e,B_e}$. This implies that $(y_2zx_1, x_2y_1) \in A_e \times B_e$, which is also equivalent to $(z'x',y') \in A_e \times B_e$. From this, we can conclude that $xyz \in S_e$. □

For the estimation of $m(e)$, we prove the following useful statements.

Claim 6

1. For each index $e \in \Lambda^{(1)}_{j_0,k}$, $\bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| = 2^{4n}\,\mathrm{Disc}_M(T_e)$.

2. For each index $e \in \Lambda^{(1)}_{j_0,k}$, $\mathrm{Disc}_M(T_e) \le 2^{-n/3}$.

Proof. (1) Let $e$ be any index in $\Lambda^{(1)}_{j_0,k}$. Recall the inner-product-modulo-two function $f$. For the desired statement, we first note that $f(zx,y) = 1$ iff $xyz \in IP_*$. By a translation between $S_e$ and $T_e$ given in Claim 5, it immediately follows that, for any bit $b$,

$$|U_b \cap S_e| = |\{(zx,y) \in T_e \mid f(zx,y) = b\}| = |T_e \cap f^{-1}(b)|.$$

Using this equality, we calculate the value $2^{4n}\,\mathrm{Disc}_M(T_e)$ as follows:

$$2^{4n}\,\mathrm{Disc}_M(T_e) = \Bigl|\sum_{(x,y)\in T_e} f(x,y)\Bigr| = \bigl||T_e \cap f^{-1}(1)| - |T_e \cap f^{-1}(0)|\bigr| = \bigl||U_0 \cap S_e| - |U_1 \cap S_e|\bigr|.$$

(2) Let $e \in \Lambda^{(1)}_{j_0,k}$. Since $T_e = T^{(1)}_{A_e,B_e}$, Lemma 7.3 implies that $\mathrm{Disc}_M(T_e) \le 2^{n-j}$. From our assumption $j > j_0$, it follows that $\mathrm{Disc}_M(T_e) \le 2^{n-j_0} = 2^{-n/3}$.

From Claim 6 follows

$$m(e) = \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| = 2^{4n}\,\mathrm{Disc}_M(T_e) \le 2^{4n}\,2^{-n/3} = 2^{11n/3}.$$

□
Case 2: Assume that $0 \le i < n$ and $2n < j < k$.

Let $\Lambda^{(2)}_{j_0,k} = \{(i,j,u,v) \in \Lambda_{j_0,k} \mid 0 \le i < n,\ 2n < j < k\}$. Again, for each index $e \in \Lambda^{(2)}_{j_0,k}$, we consider $T_e = T^{(2)}_{A_e,B_e}$, where we defined $T^{(2)}_{A,B}$ in Case 2 of Section 7. Now, we want to show that $m(e) = \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| \le 2^{11n/3}$. We begin with the following claim, which is similar to Claim 5.

Claim 7 For any $e \in \Lambda^{(2)}_{j_0,k}$ and any three strings $x, y, z$ with $|x| = |z| = n$ and $|y| = 2n$, $xyz \in S_e$ iff $(zx,y) \in T_e$.

Proof. Let $w = xyz$ be any string with $|x| = |z| = n$ and $|y| = 2n$. Let $x' = pref_i(w)$, $y' = midd_{i,i+j}(w)$, and $z' = suf_{4n-i-j}(w)$. Using our condition that $0 \le i < n$ and $2n < j < 3n$, the strings $x$ and $z$ can be expressed as $x = x_1x_2$ and $z = z_1z_2$ with the conditions that $x' = x_1$, $y' = x_2yz_1$, and $z' = z_2$.

(Only If-part) Let us assume that $w \in S_e$. We then have $(z'x',y') \in A_e \times B_e$. This is equivalent to $(z_2x_1, x_2yz_1) \in A_e \times B_e$. This implies that $(z_1z_2x_1x_2, y) \in T^{(2)}_{A_e,B_e}$. Clearly, we obtain $(zx,y) \in T_e$.

(If-part) Assume that $(zx,y) \in T_e$. This means that $(z_1z_2x_1x_2, y) \in T^{(2)}_{A_e,B_e}$. Hence, by the definition of $T^{(2)}_{A_e,B_e}$, we have $(z_2x_1, x_2yz_1) \in A_e \times B_e$. In other words, $(z'x',y') \in A_e \times B_e$, from which we obtain $xyz \in S_e$. □

Note that, by Lemma 7.4, since $2n < j < k$, we have

$$\mathrm{Disc}_M(T_e) \le 2^{j-3n} \le 2^{k-3n} = 2^{-n/3}.$$

Thus, similar to Case 1, we obtain $m(e) = \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| \le 2^{11n/3}$, as requested.

Case 3: Assume that n < i < 2n and 7n/3 < i + j < 3n. 
This case is similar to Case 2. 

Case 4: Assume that n < i < 2n and 3n < i + j < 4n. 
This case is similar to Case 1. 

Case 5: Assume that 2n < i < 8n/3 and i + j < 4n. 
This case is similar to Case 3. 

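Overall, we conclude that, for every index $e \in \Lambda_{j_0,k}$, $m(e) = \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| \le 2^{11n/3}$. Recall that $|\Lambda_{j_0,k}| \le 2^{3\log n}$. It thus follows that

$$\bigl||U_1| - |U_0|\bigr| \le \sum_{e\in\Lambda_{j_0,k}} \bigl||U_1 \cap S_e| - |U_0 \cap S_e|\bigr| \le |\Lambda_{j_0,k}| \cdot 2^{11n/3} \le 2^{3\log n}\,2^{11n/3} \le 2^{15n/4},$$

which is clearly bounded from above by $2^{4n}/8p(n)$.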

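Finally, we need to consider the remaining case where $a \neq \lambda$. Let $\ell = |a| \le 3$ and define a set $S_a = \{xyz \mid axyz \in S\}$. We write $aS_a$ for the set $\{aw \mid w \in S_a\}$. It is easy to check that $\mathrm{dense}(IP_* \cap aS_a)(4n + \ell) = \mathrm{dense}(IP_* \cap S_a)(4n)$ and $\mathrm{dense}(\overline{IP_*} \cap aS_a)(4n + \ell) = \mathrm{dense}(\overline{IP_*} \cap S_a)(4n)$. Since $S = \bigcup_{a\in\Sigma^{\ell}} aS_a$, we thus obtain

$$\bigl|\mathrm{dense}(IP_* \cap S)(4n + \ell) - \mathrm{dense}(\overline{IP_*} \cap S)(4n + \ell)\bigr| \le \sum_{a\in\Sigma^{\ell}} \bigl|\mathrm{dense}(IP_* \cap S_a)(4n) - \mathrm{dense}(\overline{IP_*} \cap S_a)(4n)\bigr| \le 2^{\ell} \cdot \frac{2^{4n}}{8p(n)} \le \frac{2^{4n+\ell}}{p(n)}.$$

Since $p$ is arbitrary, we then conclude that $IP_*$ is gap CFL/n-pseudorandom. This completes the proof of Proposition 4.4.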
9 Conclusion



Pseudorandom generators have played an essential role in modern cryptography. Through this paper, we have discussed such generators in a framework of formal language theory. It was shown in [5] that a pseudorandom generator against REG/n exists and such a generator can be found in CFLSVt. As a next step toward a full understanding of pseudorandomness in formal language theory, our main contribution of this paper is to have given a proof of the existence of a certain type of pseudorandom generator against CFL/n within 1-FTIME(O(n^2)) but not in CFLSVt.

To close this paper, we raise a fresh question of whether "easy-to-compute" pseudorandom generators 
exist against CFL(k)/n, where CFL(k) consists of languages made by k intersections of context-free languages
(see i).